• Share this article:

Open Source Security at the Eclipse Foundation

Sunday, June 19, 2022 - 19:28 by Mike Milinkovich

Open source software is the single most important engine for innovation today. The ability to freely combine software components, frameworks, and platforms frees developers from constantly reinventing the wheel and allows them to focus on the new innovations that users want. Free software also enables business models to scale in ways that proprietary software would never allow. Globally and in all sectors of the economy, building on top of open source software is the dominant approach to delivering successful software systems today. 

However, with great success comes great responsibility. From Heartbleed to SolarWinds to Log4j, securing open source software and its global supply chain has never been more important. The reasons for this are many, but among them is that for too long open source has been treated by many of its consumers as “free as in free beer” where they should have been treating it as “free as in a free puppy.” Contributing to the sustainability of the projects and communities that deliver open source is really no longer a choice. It is a necessity.

At the Eclipse Foundation, we believe that foundations have a role to play in addressing the challenges of securing open source and its supply chain. Specifically, we want to provide services to our projects that help improve their security posture. But doing so requires additional staff and resources. That’s why we are so grateful for the financial support from the OpenSSF’s Alpha-Omega project, being announced today. This money will allow us to start building a team to roll out many of the ideas in our Open Source Software Supply Chain Best Practices document under the leadership of Mikael Barbero, our Head of Security. 

Some of the ways that we are going to put this funding to good use include:

  • Automate the generation of static source-based SBOMs for all Eclipse Foundation project repositories.
  • Implement a SLSA-based project badging program for Eclipse Foundation projects.
  • Initiate a number of security audits for high-profile Eclipse Foundation projects.

We are also going to provide regular and public updates to the community about our progress and initiatives.

Software security is a never-ending process. This funding is the first step in a journey. We appreciate the support of the Alpha-Omega project, and are committed to using it effectively.